... | ... | @@ -274,7 +274,7 @@ class MyView1(APIView): |
|
|
|
|
|
This permission requires a `.queryset` or a `.get_queryset` method to be set on the view. It is used to determine the model against which to check the users's ACL. The ACL used are the one that makes the most sense according the HTTP method used (e.g. GET will lead to checking `model.can_view_all`, POST will lead to checking `model.can_create`).
|
|
|
|
|
|
If the view is targeting an object precisely, DRF's generic views will additionally call the method `has_obj_permission` whose role is to check the user has the correct ACL for the operation asked (e.g. GET will lead to checking `obj.can_see`, DELETE will lead to checking `obj.can_delete`).
|
|
|
If the view is targeting an object precisely, DRF's generic views will additionally call the method `has_obj_permission` whose role is to check if the user has the correct ACL for the operation asked (e.g. GET will lead to checking `obj.can_see`, DELETE will lead to checking `obj.can_delete`).
|
|
|
|
|
|
Moreover, for every request made, it is also checking that the user has the right to use the API by calling `api.can_use`.
|
|
|
|
... | ... | |
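Review bot: The rewritten sentence still names the hook `has_obj_permission`, but the method DRF's generic views call for object-level checks is `has_object_permission`; if the permission class implements the DRF hook, use that name in the changed line. Because the hunk header shows a plain `APIView` example just above, this paragraph should also say that object-level checks only run when the view goes through `get_object()` or calls `check_object_permissions()` itself, otherwise a reader may assume `obj.can_see` and `obj.can_delete` are always enforced. While touching this paragraph, the unchanged first sentence could be fixed in the same commit: "users's ACL" should be "user's ACL", and "according the HTTP method" is missing "to".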